Pages

Monday, 27 August 2012

Of all the companies I have encountered while working on stories about surveillance technology used by police and governments, Italy's Hacking Team is one of the most intriguing.

The Milan-based "offensive security" firm manufactures a kind of spy software, called "Remote Control Systems" (RCS), that infects computers and mobile phones in order to secretly siphon data.

RCS is designed to covertly record emails, text messages, phone (or Skype) calls, GPS location, and take screenshots - before sending this information back to law enforcement agencies for inspection. It can be used to target almost any device or platform - Windows, OSX (operating system that runs on Mac computers), iOS (used by iPhones and iPads), Android, Blackberry, Symbian, Linux - and can infect a computer or phone by tricking a user into opening an fake document file.

The technology is controversial, not least because Hacking Team boasts in its own marketing materials that it can be deployed "country-wide" to spy on the communications of more than 100,000 people simultaneously.

Human rights groups say that it could, in the wrong hands, easily be abused to target activists, political opponents, or anyone else deemed a worthy target - and these concerns certainly appear to be well founded. As I reported for Slate last week, the first instance of Hacking Team's spyware being used for nefarious purposes has purportedly been found in Morocco, where a team of award-winning citizen journalists (and prominent critics of Morocco's government) were targeted with what security experts say they are certain is a version of Hacking Team's RCS spyware.

Due to the secretive nature of Hacking Team's work, there is much we still don't know about where and how this technology is being deployed. However, in the months ahead, I fully expect that more details about countries using Hacking Team's technology will inevitably emerge.

In the meantime, I've decided to share here a summary of the main issues and things I've discovered so far. The information comes from a combination of sources: primarily an interview I conducted with Hacking Team's co-founder David Vincenzetti in October 2011 (a portion of which appeared later in the Guardian), along with marketing materials and documents published in the WikiLeaks Spy Files in December. If you have information you would like to add - or if you have source material related to Hacking Team which has not yet entered the public domain - please contact me.

Who uses Hacking Team's spy technology?

Hacking Team refuses to divulge details about specific customers and/or countries it deals with. However, the company's co-founder told me in 2011 that it had sold the RCS spyware to "approximately 50 clients in 30 countries in all five continents" since 2004. The company's website says it only sells its software to governments and law enforcement agencies.

What is Hacking Team's technology used for and why?

Hacking Team says its spy software is necessary in a world where terrorists and other serious criminals are constantly crossing borders, using various devices to communicate while sometimes using encryption. RCS allows law enforcement agencies to bypass encryption by recording data before it becomes encrypted. It also allows them to monitor targets across borders and gives them access to data that they might otherwise find very hard to otherwise obtain, such as photographs or document files stored on hard disks.

Most western democracies have laws governing the use of surveillance technology of this kind, and will use it only when they believe it necessary to detect or prevent serious criminal activity. The fear held by human rights groups is that Hacking Team's technology may have been sold to countries that do not have strict laws governing its use, which could mean that it is being abused to target, for instance, pro-democracy activists.

The fact that Hacking Team openly advertises that its software can be used to spy on hundreds of thousands of people's communications is a particular cause for concern, as it is difficult to conceive of any situation where the mass interception of communications on this scale could be justified.

(Note: A French company that in 2007 sold Gaddafi's Libyan regime surveillance technology, used to spy on dissidents, is currently facing a judicial probe for alleged complicity in crimes against humanity.)

What is Hacking Team's position on potential human rights violations?

In the words of David Vincenzetti: "We pay the utmost attention to whom we are selling the product to. Our investors have set up a legal committee whose goal is to promptly and continuously advise us on the status of each country we are talking to. The committee takes into account UN resolutions, international treaties, Human Rights Watch and Amnesty International recommendations."

What kinds of communications can RCS record?

The short answer is: everything. RCS has the capacity to record emails, Skype chats, instant messenger conversations, and text messages. It can log keystrokes (and passwords), mine documents from a hard drive, and steal private encryption keys. The software also has a function called "remote audio spy" which can be used to turn on a laptop or mobile phone's microphone, recording audio from a device without its user's knowledge.

Won't anti-virus software pick up RCS?

Hacking Team boasts that its spyware is "stealth" and "is totally invisible to the target. Our software bypasses protection systems such as antivirus, antispyware and personal firewalls."

How much do governments and LEAs pay for Hacking Team's technology?

According to David Vincenzetti: "RCS is a complex system and its price varies greatly depending on the number of targets to be monitored and the features included in it. RCS can be used for monitoring just a few targets (tactical use) or for monitoring targets 'country-wide', that is, hundreds of thousands of targets. Just to provide you with a very approximate price figure, I can tell you that a medium-sided installation might cost 600k euros." (€600,000 = £475,000 or $751,000.)

Who are the people that work at Hacking Team?

Hacking Team was founded in 2003 by self-described "serial entrepreneurs" David Vincenzetti and Valeriano Bedeschi. Valeriano and Vincenzetti say they have been working together in computer security for more than 20 years and Hacking Team is their fourth company. Their previous company was called Intesis srl, a software firm Vincenzetti describes "one of the most successful ventures in the Italian IT market." Since 2007 Hacking Team has had venture capital backing from two Italian funds: Innogest and Finlombarda.

The company employs around 35 people, and as of August 2012 was recruiting a "Field Application Engineer" to "guide them [our customers] through the process of learning, testing and adopting our Solution." It added that prospective candidate must be "willing to travel all over the world!" (Screenshot, 27 August, 2012.)

How does Hacking Team design its surveillance tools?

An interesting insight into the type of software programming used by Hacking Team was offered by a job vacancy description posted on its website in 2012. Hacking Team said it was looking for a "hacker / developer" with knowledge of the following: "C++, Objective-C, some x86 or ARM Assembly, Ruby or Python, ActionScript or reversing skills. Design Patterns and Agile Programming are a must."

In layman's terms, this means Hacking Team uses a series of programming languages used on different devices (Macs, PCs, mobile phones), and also works with code (Actionscript) primarily used with Adobe Flash Player. Many Trojan-style tools exploit security flaws in Adobe Flash Player to infect users with spyware.

UPDATE I, 10 October 2012: A new report by Citizen Lab security researchers has found evidence suggesting Hacking Team's surveillance spyware was used to target a prominent activist in the United Arab Emirates. Similar to the tactic used against the Moroccan journalists (see above), an email was sent to the UAE activist that tricked him into downloading the spyware. The email claimed to be from "Arabic WikiLeaks" and included a link to an infected file purporting to be a .doc file named "veryimportant". Hacking Team has so far not issued comment. Read more details in my report for Slate, here.

UPDATE II, 25 April 2013:
In February, a detailed analysis by a researcher at Russia's Kaspersky Lab dissected Hacking Team's spy technology. Notably, the Kaspersky researcher claims to have found "about 50 incidents" in which Hacking Team's surveillance tool was used in countries including Italy, Mexico, Kazakhstan, Saudi Arabia, Turkey, Argentina, Algeria, Mali, Iran, India and Ethiopia. An updated Kaspersky analysis in April states that it has detected Hacking Team's technology in 37 countries. The highest number of attacks using the spy tool were found in Mexico, Italy, Vietnam and the United Arab Emirates. However, a small handful of attacks on users allegedly involving the Hacking Team technology were also detected in Iraq, Lebanon, Morocco, Panama, Tajikistan, India, Iran, Saudi Arabia, South Korea, Spain, Poland, Turkey, Argentina, Canada, Mali, Oman, China, the United States, Kazakhstan, Egypt, Ukraine, Uzbekistan, Colombia, Taiwan, Brazil, Russia, Kyrgyzstan, the United Kingdom, Bahrain, Ethiopia, Indonesia, Germany, and Libya.